Latest Security posts
Security
12 min
Two-factor authentication done right: TOTP, WebAuthn, and passkeys
SMS 2FA is deprecated, TOTP is table stakes, and passkeys are the 2026 default for any product that takes account security seriously. Here's how to pick, ship, and recover each method without creating a worse problem than the one you started with.
Security
11 min
Webhook security: HMAC verification, replay protection, and idempotency
Webhook endpoints are the most exposed public surface in most SaaS products. Here's how to verify HMAC signatures correctly, block replays, and handle duplicate deliveries without double-processing a single event.
Security
12 min
OWASP Top 10 for SaaS applications in 2026
The OWASP Top 10 is the baseline every SaaS team should audit against. Here's the 2026 list translated into SaaS terms — real examples, the mitigation that actually works, and a check you can run today.